name: CodeQL

on:
  pull_request:
    branches:
      - main
      - ft/main/**
  push:
    branches:
      - main
      - ft/main/**
  schedule:
    - cron: "45 6 * * 3"

permissions: read-all

jobs:
  check_changes:
    name: Deduce required tests from code changes
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    outputs:
      go-changes: ${{ steps.go-changes.outputs.src }}
    steps:
      - name: Check code changes
        uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
        id: go-changes
        with:
          filters: |
            src:
              - .github/workflows/lint-codeql.yaml
              - '**/*.go'
              - 'go.mod'
              - 'go.sum'

  analyze:
    needs: check_changes
    if: ${{ needs.check_changes.outputs.go-changes == 'true' || github.event_name != 'pull_request' }}
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
    - name: Checkout repo
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
        persist-credentials: false
        fetch-depth: 1
    - name: Initialize CodeQL
      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
      with:
        languages: go
        debug: true
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
